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Method for checking the authorization of users 

XA/J 

Field of the invention 



The present invention concerns a method for checking the 
authorization of persons, for example the authorization of users of public 
5 transportation or of public places such as airports, cinemas, theaters, 
exhibitions etc. 
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2 Related Art 

m 

ify Electronic systems and methods are known for checking the 

authorization of persons to be allowed to use services they need and if 
10 necessary for billing the use of these services. The patent document 
EP0465456 describes for example a system for billing the use of public 
transportation. Trains or buses are equipped at the doors with readers in 
order to record the ingress and egress of passengers who have been 
provided with a contactless chip-card. The passengers' time of ingress and 
15 egress is forwarded to a central that determines with the aid of a timetable 
the traveled distance and that bills the latter to the passengers on a 
monthly basis. 
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The system described in EP0465456 has the disadvantage that 
billing on the basis of a timetable may lead to incorrect results when delays 

20 occur in the traffic network. Furthermore, this system is suitable only for 
determining and billing the use of specially equipped vehicles in which the 
travel authorization is checked only at the doors. In many complex traffic 
networks, it is however not possible or desirable to forgo in all vehicles the 
manual checking of tickets. Equipping older vehicles with readers at the 

25 doors often involves a lot of expenditure. Furthermore, the passengers 

often require controllers in the trains in order to receive travel information 
and to ensure security in night subway trains. Moreover, this system can be 
outsmarted by passengers who for example slip their chip-card through a 
window rather than through the door. 
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It is an aim of the present invention to propose new and better 
methods and systems for checking the users' authorization, for example the 
travel authorization of passengers. In particular, it is an aim of this 
invention to propose a new method and a new system that make it possible 
5 for a controller to check the user authorization, for example a travel 
authorization stored in a portable identification module. 

DE-U 1-29707353 describes an identification system for the 
storage and recognition of data patterns. The identification of the users is 
stored with a photograph in an electronic device and can be checked at 
*6 10 fixed authorization offices. This system is not suitable for having the travel 
if authorization checked easily by a controller in the vehicle. 

| y 

- 3| WO93/20539 describes a parking system in which a car-park 

^ attendant can check with a portable computer whether every car in the 

=* parking has paid the required fee. This system is not suitable for checking 

£jj 15 tickets in public transportation. In particular, it is not easy for a controller 
3 to check the authorizations while moving. 



Patent Abstracts of Japan, Vol.1999, N° 03, 31 March 1999 and JP- 
10-340356 describe a system for having tickets checked by a controller in a 
train. The controller receives a signal that indicates whether a ticket is valid. 
20 This system is not easy for the controller who has to check the 
authorizations of several users while moving. 

Brief Summary of the Invention 

According to the present invention, these aims are achieved in 
particular through the characteristics of the independent claims. Further 
25 advantageous embodiments are moreover described in the dependent 
claims and in the description. 



In particular, these aims of the invention are achieved by storing 
the identification data and authorization data of users in an electronic 
storage area of a personal identification module of the user and then 
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forwarding them contactlessly to a portable authorization-checking device 
for reproduction. This has the advantage that a controller in a vehicle can 
check the passengers' authorization data that are stored in the passengers' 
personal terminals without the passengers having to present their 
5 identification module. Furthermore, this has the advantage that contactless 
identification modules designed for the automatic checking and billing by 
readers at the doors of the vehicle can also be checked manually by a 
controller. 

The users' identification module can for example be in the form 
of a chip-card. In a preferred embodiment it contains an additional radio 
receiver, with which data from an external sender, for example a radio 
sender, can be received, as well as reproduction means, for example a 
display and/or headphones, with which these data can be reproduced. In 
this manner, the authorization data stored in the identification module can 
also be modified "over-the-air", for example with program-accompanying 
data. 
iQ 

:|~ The identification module comprises preferably input means, for 

example a keyboard and/or a touch-screen, with which data can be 
entered. Chip-cards with a keyboard are described among others in patent 
20 application EP0813171. In this manner, confirmations to debit an account 
or the booking of a seat can be entered and forwarded over said 
contactless interface. Certain identification modules, for example stolen 
ones, can also be blocked in this manner. 
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The authorization-checking device is portable and electrically 
25 autonomous. It comprises visual reproduction means with which 
identification data and authorization data can be displayed. These 
reproduction means consist of a VRD (VirUjaXRetjna^r^pJa^). 

The identification data include biometric parameters of the user 
of the identification module. For example, these data include a photograph 
30 of the user that can be transmitted over the contactless interface and 
displayed on said authorization-checking device. In this manner, the 
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controller can check whether the identification module really belongs to 
the user. 

Description of the drawings 

Preferred embodiments of the invention will be described 
5 hereafter in more detail with the aid of the attached drawings, in which: 

Fig. 1 shows a diagrammatic view of an identification module, in 
this example a contactless chip-card, with an authorization-checking device, 
in this example glasses with a VRD. 

Fig. 2 shows a diagrammatic view of another embodiment of an 
10 identification module, here in the form of a portable radio receiver. 

Fig. 3 shows a diagrammatic view of another embodiment of an 



yy identification module, here in the form of a wristwatch. 
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M> Fig. 4 shows a diagrammatic view of a vehicle, in this example a 

bus, with an information system in which the present invention can be 
15 used. 

Fig. 5 shows a schematic block diagram of the system according 
to the invention. 



Detailed Description of the Invention 




20 chip-card 44, of a user, for example a passenger, and the authorization- 
checking device 90 that is carried by a controller 9. Although the 
description shows in detail the example of checking tickets in a public 
transportation vehicle, for example in a bus, train, boat, airplane or subway 
train, this invention can also be used for checking other kinds of 

25 authorizations, for example admission tickets for cinemas, theaters, 
exhibitions etc., for checking driver's licenses, for ski lifts etc. 



;ry terminal includes an identification module 40 in which 
user-specific>slata are stored, as well as a contactless interface 41 over which 
a local radio corh^ection can be established. The contactless interface allows 
a radio connection atclose ra,nge4typically up to a maximum of 20 meters) 
and comprises preferably^aTchip 4 Of or example a RFID (Radio Frequency 
Identification) chip, and an^SMhna 410, for example a coil. The chip 
comprises a radio part and data processing means and can send and receive 
data in a defined frequency range, foXexample in an ISM (Industrial 
Scientific and Medical Applications) rangfesor in a frequency range between 
2.4 to 2.5 GHz. Depending on the frequencyosed, the antenna 410 can also 
be integrated in the chip or consist of a wound coH 

Identification data and authorization data of the user are stored 
in various stbrage areas in the identification module. The user's 
identification\data comprise preferably the user's identity, for example his 
name and/or user number. If the identification mqaule 4/can also be used 
as a SIM (Subscriber Identification Module) card inVmobile telephone, the 
user's identity camalso consist of his IMSI (International Mobile Subscriber 
Identification) number in the mobile radio network. In a variant 
embodiment, the identification data comprise also biometric parameters of 
the user, for example aVhotograph, voice parameters, iris and/or retina 
parameters, a finger prin\ etc. With these biometric parameters, it can be 
reliably determined whetnfer the user of the identification module is also 
the rightful owner. \ 



\Qepending on the application, the authorization data can 
include diffefeiqttypes of data. If the identification module 4 is used for 
identifying passeng-e^s in public transportation, the authorization data 
comprise for example tFYevtype and validity of the user's ticket or season 
ticket, his seat bookings, poss4bte blocking data if the season ticket has 
been blocked etc. These data are>ceferably stored in a secured area of the 
module that cannot be modified by "abuser alone. 



The identification data, for example the name, the user number 
and/or the user's biometric parameters, as well as the authorization data. 
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for example the data relating to the season ticket, can be printed on an 
area 440 of the chip-card's surface, so that the identification module can be 
checked by a visual inspection and without authorization-checking device. 

The contactjess ^inter face 41 preferably allows a bi-directional 
data transfer with external devicesr-among others with an authorization- 
checking device 90. Preferably, a standardized protocol is used for this 
interface, for example the Bluetooth or HomeRF protocol, so that 
standard izedcterm[nals^can be used. The contactless interface 41 can also 
consist of a RFID (Radio Frequency Identification) element. According to the 
embodiment, the terminal 4 has its own energy supply means, for example 
a battery or solar cell, or can be powered by the external device 90. In a 
variant embodiment, the terminal 4 is powered by transparent solar cells in 
the user's glasses. 

\Over the contactless interface 41, the external portable 
authorizatio>HQhecking device 90 can access the user's identification and 
authorization data>Rdr e produce these data optically and/or acoustically. 
The authorization-checkm^efvdevice comprises a housing 91 with a 
contactlessjnte rface u sing the^ame protocol and the same frequency as 
the identification modul e 4> Jhe hobsjng 91 accommodates the entire 
electronics (contactless interface, data processing means, battery and/or 
solar cells, optional additional radio receive r&tc^. 

In the represented example, the authorization-checking device 90 
is integrated in glasses that are worn by a controller 9. The authorization- 
checking device comprises a VRD (Virtal Retina Display) device 92 that 
projects an image directly onto the retina of the user 9. Such VRD devices 
are proposed among others by the firm jyiicrovision-and have the 
advantage that they can be greatly miniaturized and that they have a low 
energy consumption. The projected image can superimpose over the image 
seen by the controller 9. Headphones 93 can furthermore reproduce the 
transmitted data acoustically, for example with a voice synthesizer. 
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The authorization-checking device 90 can have controls (not 
represented), for example keys and/or a touch-screen, with which the 
controller can for example have the identification and/or authorization 
data read and have all identification modules scanned. In a preferred 
5 embodiment of the invention, the authorization-checking device 90 is 
controlled by the eye of the user 9, who can give for example context- 
dependent commands by looking in predefined directions. Devices that 
react to the position of the eye are already used in photographic cameras 
np and video apparatus. 

In a preferred embodiment of the invention, the controller 9 can 
enlarge and/or enhance part of the projected image by looking during a 
certain time in the direction of this part of the image. In a variant 
embodiment, the authorization-checking device receives in a first stage for 
example an image generated in the data processing means in the housing 
91, and representing a list of identification data of all identification 
modules 4 in radio contact with the authorization-checking device 90. The 
controller sees for example a mosaic with photographs of all passengers in 
the vicinity. The controller can then decide to view the identification and 
authorization data of a specific passenger by looking during a certain time 
in the direction of the represented image of this passenger. The 
authorization-checking device then requests from the identification 
module 4 of the selected passenger that it should send the queried 
authorization data or additional identification data, which are then, in a 
second stage, reproduced to the controller in a second image. 

25 In a variant embodiment, the controller cannot access the user- 

specific data of this user without the latter's consent. In order for at least 
certain data to be read, the reading of these data must in this variant 
embodiment be approved by the user through a release key. 

In a variant embodiment of the invention, at least certain 
30 identification modules include a stored electronic account that can be 
loaded resp. debited with a teller and/or "over-the-air". If the 
authorization-checking device 90 has controls, the controller can preferably 
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debit this account with a corresponding command, for example if the user 
has not acquired in advance a travel authorization. Preferably, the 

^_ controller 9 sends to this effect a debit query to the terminal 4 that has to 
be confirmed by the user before the electronic money is transferred over 

5 said contactless interface to the authorization-checking device 90. 

In a variant embodiment of the invention, at least part of the 
terminals 4 have an additional radio receiver 46 over which data from an 
external sender 1 (Fig. 5) can be received. In this case,^t heTdentificat jciD__ 
m odule 4Q )ian also be integrated in a radio receiver, for example in a 
portable radio receiver 42 (Fig. 2), in a mobile telephone (not represented), 
in a palmtop or laptop computer (not represented), or in a wristwatch 43 
(Fig. 3). Terminals of different types can also be combined within a single 
vehicle. According to the embodiment, the terminal can have different 
data reproduction means 400, for example a display and/or headphones, 
and different input means 401, for example a keyboard, a touch-screen 
and/or an apparatus for determining the position of the eye. The display 
can be for example a LCD and/or preferably a VRD (Virtual Retina Display) 
and thus reproduce the operating status as well as received images and 
texts. 

20 If the terminal 4 is sufficiently voluminous, the user identification 

data and/or the authorization data can be stored in a removable chip-card, 
for example in a SIM (Subscriber Identification Module) card. In this 
manner, for example the authorization, for example a ticket, can be sold in 
the form of a chip-card that the users need only insert in their terminal. 

25 Alternatively, the identification and authorization data can also be stored 
in a secured storage area (virtual SIM card) or in a removable electronic 
module of the terminal 4. 

Electronic encryption and signature means are preferably 
provided in the terminals 4 and in the authorization-checking device 90 in 
30 order to encrypt the data transmitted over said contactless interface and to 
sign these data electronically. For this purpose, TTP (Trusted Third Party) 
services are preferably used. The identification module in the terminal 
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preferably includes an electronic certificate with which an end-to-end 
encryption up to the controller 9 can be guaranteed. In this manner it can 
be ensured that only the controller 9 can access possibly confidential data 
in the identification modules 40. 

5 The system according to the invention can also be used in order 

to check the travel authorization at ingress and egress. Figure 4 shows a 
vehicle, in this example a bus 35, with an information system in which the 
authorization-checking device according to the invention can be used. The 
information system in the vehicle comprises central data processing means 

10 2, for example a computer with appropriate interfaces, or a digital radio 
receiver with a processor, as well as an electronic bus 3 that connects the 
central data processing means 2 with a plurality of transceivers 31, 32. Each 
transceiver has an antenna oriented in the direction of the passengers. 
Certain transceivers 32 are preferably installed close to the doors in order 

15 to monitor the ingress and egress of passengers. 

^fiecentral data processing means 2 have atjeast-one-r-adio^. 
receiver 21 o^/e^wtiich data from at least one sender <{ /7, 8 (Fig.^T ^utside 
the vehicle can be recei\7e«l^According to the application, the radio receiver 
21 can receive for example DAETtBigital Audio Broadcasting) including 
accompanying data, DVB (Digital VideoBre^dcasting) including 
accompanying data, GSM (Global System for Mo&rte^Communications) or 
UMTS data including WAP data, GPS (Global PositioningSystejTi^data etc. 

These different data can be converted in the data processing 
means 2 into another format, for example in the Bluetooth format, and 
25 transmitted over the electronic bus 3 and the transceivers 31-32 to the 
passengers 36 in question. 

When a passenger 36 enters the vehicle 35 witj \his te rminal 4Jt)s 
identification data stored in the terminal 4 are collected over said 
contactless interface and the transceiver 32 near the doors and transmitted 
30 to the data processing means 2. 
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According to the embodiment and application, the transmission 
of the identification parameters when entering or leaving the vehicle 35 
can be triggered by the passengers or through the transceiver 32. The user 
identification data are read in the identification module 40 by a software 
5 program executed by the terminal 4 and transmitted by means of 

appropriate communication protocols over the contactless interface to the 
transceivers 32, where they are forwarded over the aforementioned 
electronic bus 3 to the central data processing means 2. 

The data processing means 2 can receive over said addition^ 
10 radio receiver 21 a list of authorizations (resp^ of bookings and bapred 
jffl t passengers and thus establish whether the passenger is allowea to enter or 

whether the vehicle is barred to him. If the passenger isjaan-ed from the 
vehicle, the data processing means 2 can for exampleT^ake appropriate 
measures in order to refuse access to the passepger, for example acoustic or 
optical warning signals can be activated and/or the relevant entrances 
closed^resp. not opened. If the passengeris allowed to board, the 
lg passenger can enter the vehicle an^Kake a seat. In the vehicle, additional 

IM= transceivers 31 are provided tba*t collect the identification parameters in 

the passenger's identification module 40 and forward them to the central 
20 data processing meap&'z. These data processing means can for example 
check whether tl>e^passenger is occupying the seat reserved for him in an 
allowed travef'class. For this purpose, the transmitted authorization data 
can forexample include booking information and/or travel class 
indipa^tions. 

25 When the passenger is seated at his seat, he can receive data over 

the transceiver 31 and have them reproduced or processed on his personal 
terminal 4. The data received can include for example tourist information, 
advertising, music, entertainment programs etc. Certain data can be 
generated by the vehicle's driver and transmitted over the electronic bus 3 

30 to every or to selected passengers. Other information, for example DAB or 
DVB programs and accompanying data received over the radio receiver 21, 
can be converted into an appropriate format, for example Bluetooth 
format, and addressed to the passengers 36. 
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Figure 5 shows diagrammatically how a complete system for 
checking the travel authorization for users of public transportation can be 
created. In this example, the vehicle 35 comprises central data processing 
means 2 with at least one radio receiver 21 that can receive data from an 
external sender, for example from a DAB sender 1 and/or from a device 7, 8 
connected to a mobile network. An electronic bus 3 is provided in the 
vehicle and connected with the central data processing means 2. On this 
bus, a plurality of transceivers 31, 32 on the vehicle and at the doors are 
connected, with which the users' terminals 4 can connect themselves 
contactlessly. A controller with an authorization-checking device 90 can 
connect over this contactless interface with the terminals in order to check 
the passengers' identification and authorization data. 

The terminal 4 can receive data from an external sender 1, 7, 8 
either over an integrated radio receiver 46 (radio, television or GSM) and/or 
over the electronic bus 3 and the central data processing means 2. The 
communication with external devices 7, 8 can also be bi-directional. 
Furthermore, new applications and data, for example timetables, new price 
lists etc., can also be downloaded inj his manner in the terminal A and in 
the authorization-checking device 90. If a reverse channel is available, the 
user can in this manner also buy a new authorization and download for 
example new tickets, bookings etc. 



